(7) in the second bridge computer, if the encapsulation header has been appended
to the first data packet, reading the encapsulation header, and determining
therefrom whether the first data packet was encrypted, [and if not, proceeding
to step 10, and if so, proceeding to step 8] and if it is determined that the first
data packet has been encrypted, proceeding to step 8 and otherwise proceeding
to step 10;

(8) in the second bridge computer, determining which encryption mechanism was
used to encrypt the first data packet;

(9) decrypting the first data packet by the second bridge computer; 

(10) transmitting the first data packet from the second bridge computer to the
second host computer[,]; and

(11) receiving the unencrypted first data packet at the second host computer. 

2. (Once Amended) The method of claim 1, wherein the new address header
for the modified first data packet includes the address of the second bridge computer.

3. (Once Amended) The method of claim 2, wherein the new address header
for the modified first data packet includes an identifier of the second bridge computer.

4. (Once Amended) The method of claim 1, wherein the new address header
of the modified first data packet includes the address of the second host computer.

5. (Once Amended) The method of claim 4, wherein the new address header
for the modified first data packet includes an identifier of the second bridge computer.

6. (Once Amended) A system for automatically encrypting and decrypting
data packets transmitted from a first host computer on a first computer network to a second
host computer on a second computer network, including:

a first bridge computer coupled to the first computer network for intercepting
data packets transmitted from said first computer network, the first bridge computer
including a first processor and a first memory storing instructions for executing
encryption of data packets according to a predetermined encryption/decryption
mechanism;

a second bridge computer coupled to the second computer network for
intercepting data packets transmitted to said second computer network, the second
bridge computer including a second processor and a second memory storing
instructions for executing decryption of the data packets;

said first host computer including a third processor and a third memory
including instructions for transmitting a first [said] data packet from said first host to
said second host;

a first table stored in said first memory including a correlation of at least one 
of the first host computer and the first network with one of the second host computer 
and the second network, respectively; 

instructions stored in said first memory for intercepting said first data packet
before departure from said first network, determining whether said correlation is
present in said first table, and if so, then executing encryption of said first data packet
according to said predetermined encryption/decryption mechanism, generating a new
address header including a mechanism for identifying said predetermined
encryption/decryption mechanism and appending said new address header to said
encrypted first data packet, thereby generating a modified first data packet, and
transmitting said modified first data packet on to the second host computer;



a second table stored in said second memory including a correlation of at least
one of the first host computer and the first network with one of the second host
computer and the second network, respectively; and

instructions stored in said second memory for intercepting said modified first
data packet upon arrival at said second network, determining whether said correlation
is present in said second table, and if so, then executing decryption of said first data
packet according to said predetermined encryption/decryption mechanism, and
transmitting the first data packet to the second host computer.

7. (Once Amended) [The method of claim 6,] A system for automatically
encrypting and decrypting data packets transmitted from a first host computer on a first
computer network to a second host computer on a second computer network, including:

a first bridge computer coupled to the first computer network for intercepting
data packets transmitted from said first computer network, the first bridge computer
including a first processor and a first memory storing instructions for executing
encryption of data packets according to a predetermined encryption/decryption
mechanism;

a second bridge computer coupled to the second computer network for
intercepting data packets transmitted to said second computer network, the second
bridge computer including a second processor and a second memory storing
instructions for executing decryption of the data packets;

said first host computer including a third processor and a third memory
including instructions for transmitting a first data packet from said first host to said
second host;

a first table stored in said first memory including a correlation of at least one
of the first host computer and the first network with one of the second host computer
and the second network, respectively;

instructions stored in said first memory for intercepting said first data packet
before departure from said first network, determining whether said correlation is
present in said first table, and if so, then executing encryption of said first data packet
according to said predetermined encryption/decryption mechanism, generating a new
address header and appending said new address header to said encrypted first data
packet, thereby generating a modified first data packet, and transmitting said modified
first data packet on to the second host computer, wherein said new address header
includes [the] internetwork broadcast addresses of the first and second computer
networks[.];

a second table stored in said second memory including a correlation of at least
one of the first host computer and the first network with one of the second host
computer and the second network, respectively; and

instructions stored in said second memory for intercepting said modified first data
packet upon arrival at said second network, determining whether said correlation is present in
said second table, and if so, then executing decryption of said first data packet according to
said predetermined encryption/decryption mechanism, and transmitting the first data packet
to the second host computer.

8. The method of claim 7, wherein said new address header includes an identifier
of the second bridge computer.

9. The method of claim 6, wherein said new address header includes the address
of the second host computer.

10. The method of claim 9, wherein said new address header includes an identifier
of the second bridge computer.



11. (Once Amended) A method for transmitting and receiving packets of data
via an internetwork from a first host computer on a first computer network to a second host
computer on a second computer network, each of said first and second host computer
networks, each of said first and second host computers including a processor and a memory
for storing instructions for execution by the processor, each said memory storing at least [on]
a predetermined encryption/decryption mechanism and a source/destination table identifying
a predetermined plurality of sources and destinations requiring security for packets
transmitted between them, the method being carried out by means of the instructions stored in
said respective memories and including the steps of:

(1) generating, by the first host computer, a first data packet for transmission to
the second host computer, a portion of the first data packet including information
representing an internetwork address of a source of the first data packet and an
internetwork address of a designation of the first data packet;

(2) in the first host computer, determining whether the source and destination of
the first data packet are among the predetermined plurality of sources and destinations
identified in said source/destination table for which security is required, and if not,
proceeding to step 5, and if so, proceeding to step 3;

(3) encrypting the first data packet in the first host computer;

(4) in the first host computer, generating and appending to the encrypted first data 
packet an encapsulation header, including: 

(a) key management information providing a mechanism for identifying 
the predetermined encryption method, and 

(b) a new address header identifying the source and destination for the first
data packet, thereby generating a modified first data packet;

(5) transmitting the first data packet or the modified first data packet from the first 
host computer via the internetwork to the second computer network; 

(6) in the second host computer, if the encapsulation header has been appended to
the first data packet, reading the encapsulation header, and determining therefrom
whether the first data packet was encrypted, and if the first data packet was not
encrypted [not], ending the method, and if [so] the first data packet was encrypted,
proceeding to step 7;

(7) in the second host computer, determining which encryption mechanism was
used to encrypt the first data packet; and

(8) decrypting the first data packet by the second host computer.
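
The send and receive steps of claim 11 can be traced in a short Python sketch; this is an added example, not part of the filing. Assumed for illustration: the 19-byte header layout, the `MAGIC` marker, the mechanism identifier, /24 networks, and a SHA-256 keystream standing in for the "predetermined encryption mechanism" (it provides no integrity protection). The new address header uses the network broadcast addresses of claim 12.

```python
import hashlib
import ipaddress
import os

# Assumed wire layout (the claims do not fix one):
#   MAGIC(2) | mechanism id(1) | nonce(8) | new src(4) | new dst(4) | ciphertext
MAGIC = b"\xe5\xca"        # hypothetical marker: "encapsulation header present"
MECH_SHA256_CTR = 1        # hypothetical mechanism identifier
HEADER_LEN = 2 + 1 + 8 + 8


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with a SHA-256 counter keystream (symmetric)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


# Mechanism id -> routine; the key management information selects one entry.
MECHANISMS = {MECH_SHA256_CTR: keystream_xor}


def make_packet(src: str, dst: str, data: bytes) -> bytes:
    """Simplified first data packet: source(4) | destination(4) | data."""
    return (ipaddress.ip_address(src).packed
            + ipaddress.ip_address(dst).packed + data)


def broadcast(addr: bytes, prefix: int) -> bytes:
    """Broadcast address of the network containing addr."""
    host = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(f"{host}/{prefix}", strict=False)
    return net.broadcast_address.packed


class SecureHost:
    def __init__(self, key, secure_pairs, prefix=24):
        self.key = key
        self.prefix = prefix
        # Source/destination table: pairs for which security is required.
        self.table = {(ipaddress.ip_address(s).packed,
                       ipaddress.ip_address(d).packed) for s, d in secure_pairs}

    def send(self, packet: bytes) -> bytes:
        src, dst = packet[:4], packet[4:8]
        if (src, dst) not in self.table:          # step 2: not listed
            return packet                         # step 5: send unmodified
        nonce = os.urandom(8)                     # fresh per packet
        body = MECHANISMS[MECH_SHA256_CTR](self.key, nonce, packet)  # step 3
        key_mgmt = bytes([MECH_SHA256_CTR]) + nonce                  # step 4(a)
        new_addr = broadcast(src, self.prefix) + broadcast(dst, self.prefix)  # 4(b)
        return MAGIC + key_mgmt + new_addr + body

    def receive(self, wire: bytes) -> bytes:
        if not wire.startswith(MAGIC):            # step 6: no encapsulation header
            return wire
        if len(wire) < HEADER_LEN:
            raise ValueError("truncated encapsulation header")
        cipher = MECHANISMS.get(wire[2])          # step 7: which mechanism?
        if cipher is None:
            raise ValueError(f"unknown encryption mechanism {wire[2]}")
        return cipher(self.key, wire[3:11], wire[HEADER_LEN:])       # step 8


if __name__ == "__main__":
    key = b"k" * 32                               # constructed sample key
    pairs = [("10.1.0.5", "10.2.0.9")]            # constructed sample table
    a, b = SecureHost(key, pairs), SecureHost(key, pairs)
    pkt = make_packet("10.1.0.5", "10.2.0.9", b"payroll batch 7")
    wire = a.send(pkt)
    print("outer addresses:", list(wire[11:19]))
    print("recovered:", b.receive(wire) == pkt)
```

An observer on the internetwork sees only the two broadcast addresses; the host addresses travel inside the encrypted body.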

12. (Once Amended) The method of claim 11, wherein the new address
header for the modified first data packet includes internetwork broadcast addresses of the first
and second computer networks.



13. The method of claim 11, wherein the source/destination table includes data 
identifying internetwork addresses of the first and second host computers.




14. (Once Amended) A system for automatically encrypting and decrypting
data packets transmitted from a first host computer on a first computer network [and having a
first host computer on a first computer network and], the first host computer having a first
processor and a first memory, via an internetwork to a second host computer on a second
computer network [and having a second host computer on a second computer network and],
the second host computer having a second processor and a second memory, the system
including:

security data stored in said first and second memories indicating that data
packets meeting at least one predetermined criterion are to be encrypted;

a predetermined encryption/decryption mechanism stored in said first and
second memories;

a decryption key stored in said second memory;

instructions stored in said first memory for determining whether to encrypt
one or more data packets, by determining whether said at least one predetermined
criterion is met by said one or more data packets [data packet];



instructions stored in said first memory for executing encryption according to
said predetermined encryption/decryption mechanism of at least a first [said data
packet] one of said one or more data packets, when said at least one predetermined
criterion is met, for generating a new address header for said first data packet and for
appending an encapsulation header to said first data packet and transmitting said first
data packet to said second host, said new address header identifying broadcast
addresses of the first and second computer networks, said encapsulation header
including at least said new address header; and

instructions stored in said second memory for receiving said first data packet,
determining whether it has been encrypted by reference to said security data in said
second memory, and if so then determining which encryption/decryption mechanism
was used for encryption, and decrypting said first data packet by use of said
decryption key.

15. (Once Amended) The system of claim 14, wherein:

said security data comprises correlation data stored in each of said first and
second memories [identifying at least one of said first and second memories]
identifying at least one of said first host computer and said first network correlated
with at least one of said second host computer and said second network;

the system further including instructions stored in said first memory for
determining whether to encrypt data packets by inspecting for a match between source
and destination addresses of said data packets with said correlation data.



16. (Once Amended) A system for automatically encrypting data packets for
transmission from a first host computer on a first computer network to a second host
computer on a second computer network, said first host computer including a first processor
and a first memory including instructions for transmitting said data packets from said first
host to said second host, the system including:

a bridge computer coupled to the first computer network for intercepting at
least a first [said] data packet transmitted from said first computer network, said
bridge computer including a second processor and a second memory storing
instructions for executing encryption of said first data packet according to a
predetermined encryption/decryption mechanism;

information stored in said second memory correlating at least one of the first
host computer and the first network with one of the second host computer and the
second network, respectively; and

instructions stored in said second memory for intercepting said first data
packet before departure from said first network, determining whether said correlation
is present, and if so, then executing encryption of said first data packet according to
said predetermined encryption/decryption mechanism, generating a new address
header including a mechanism for identifying said predetermined
encryption/decryption mechanism and appending said new address header to said first
data packet, thereby generating a modified first data packet on to the second host
computer.



17. (Once Amended) A method for transmitting packets of data via an
internetwork from a first host computer on a first computer network to a second host
computer on a second computer network, the first computer networks including a first bridge
computer, each of said first and second host computers and said bridge computer further
including memory storing at least one predetermined encryption/decryption mechanism and
information identifying a predetermined plurality of host computers as hosts requiring
security for packets transmitted between them, the method being carried out according to the
instructions stored in said respective memories and including the steps of:

(1) generating, by the first host computer, a first data packet for transmission to
the second host computer, a portion of the first data packet including information
representing an internetwork address of the first host computer and an internetwork
address of the second host computer.

(2) in the first bridge computer, intercepting the first data packet and determining 
whether the first and second host computers are among the predetermined plurality of 
host computers for which security is required, and if not, proceeding to step 5, and if 
so, proceeding to step 3; 

(3) encrypting the first data packet in the first bridge computer;

(4) in the first bridge computer, generating and appending to the first data packet
an encapsulation header, including:

(a) key management information providing a mechanism for identifying
the predetermined encryption method, and

(b) a new address header representing the source and destination for the
data packet, thereby generating a modified first data packet; and

(5) transmitting the first data packet or the modified first data packet from the first
bridge computer via the internetwork to the second computer network.






18. (Once Amended) A system for automatically decrypting data packets
transmitted from a first computer to a second computer, the system comprising:

a bridge coupled to the second computer for intercepting a data packet from
the first computer, the data packet having an address header and a body, the address
header including broadcast addresses of the first and second computers, the bridge
including a processor and a memory that stores instructions for decrypting data
packets;

information stored in the memory of the bridge correlating the first and second
computers; and

instructions stored in the memory for intercepting the data packet, determining
whether the information stored in the memory of the bridge correlates the first and
second computers, and if so, decrypting the data packet to generate a new data packet
including a new address header, and transmitting the new data packet onto the second 
computer. 

19. (Once Amended) The system of claim 18, [where] wherein the data 
packet includes [an address header and a body, the body including] the new data packet in 
encrypted form. 



20. (Once Amended) [The method of claim 18,] A system for automatically
decrypting data packets transmitted from a first computer to a second computer, the
system comprising:

a bridge coupled to the second computer for intercepting a data packet from
the first computer, [wherein] the data packet [includes] including a header storing key
management information providing a mechanism for identifying an encryption
method used to encrypt the new data packet, the bridge including a processor and a
memory that stores instructions for decrypting data packets;

information stored in the memory of the bridge correlating the first and second
computers; and

instructions stored in the memory for intercepting the data packet, determining
whether the information stored in the memory of the bridge correlates the first and
second computers, and if so, decrypting the data packet to generate a new data packet
including a new address header, and transmitting the new data packet onto the second
computer.

21. The method of claim 18, wherein the new address header includes information
indicating the first computer is a source of the new data packet and the second computer is a
destination of the new data packet.

22. (Once Amended) A method for receiving data packets from a first
computer to a second computer through a bridge including a processor and a memory that
stores instructions for decrypting data packets and information correlating the first and
second computers, the method being carried out according to instructions in the memory of
the bridge and comprising:

intercepting a data packet from the [second] first computer to the second
computer, [portion of] the data packet including an address header and a body, the
address header including broadcast addresses of the first and second computers and
the body including address information representing an internetwork address of the
first computer and an internetwork address of the second computer, wherein the
address information is encrypted;

determining whether the information stored in the memory of the bridge
correlates the first and second computers, and if so, decrypting the data packet to
generate a new data packet including a new address header; and

transmitting the new data packet on to the second computer.

23. (Once Amended) The [system] method of claim 22, [where the data
packet includes an address header and a body,] wherein the body includes [including] the
new data packet in encrypted form.

24. (Once Amended) [The method of claim 22,] A method for receiving data
packets from a first computer to a second computer through a bridge including a processor
and a memory that stores instructions for decrypting data packets and information correlating
the first and second computers, the method being carried out according to instructions in the
memory of the bridge and comprising:

intercepting a data packet from the first computer to the second computer, the
data packet including information representing an internetwork address of the first
computer and an internetwork address of the second computer;

determining whether the information stored in the memory of the bridge
correlates the first and second computers, and if so, decrypting the data packet to
generate a new data packet including a new address header; and

transmitting the new data packet on to the second computer;

wherein the data packet includes a header storing key management information
providing a mechanism for identifying an encryption method used to encrypt the new data
packet.

25. The method of claim 22, wherein the new address header includes information
indicating the first computer is a source of the new data packet and the second computer is a
destination of the new data packet.



26. (Once Amended) A method of encrypting data packets, comprising:
receiving a data packet from a source for a destination, the data packet including a
header section and a data section, [and] the header section storing a source identifier and a
destination identifier;

determining whether the data packet should be encrypted upon reference to at least
one of the source and destination identifiers; [and]

if the data packet should be encrypted, encrypting the data packet to produce an
encrypted data packet[.]; and

generating a new address header and appending the new address header to the
encrypted data packet, thereby generating a modified data packet;

wherein the new address header includes a mechanism for identifying an encryption
method used to generate the encrypted data packet.

27. (Once Amended) The method of claim 26, further comprising
transmitting the [encrypted] modified data packet to the destination.



28. The method of claim 26, wherein the determining whether the data packet
should be encrypted comprises accessing stored information that indicates by presence or
absence of the source identifier that data packets from the source should be encrypted.

29. The method of claim 26, wherein the determining whether the data packet
should be encrypted comprises accessing stored information that indicates by presence or
absence of a correlation between the source and destination identifiers that data packets from
the source for the destination should be encrypted.

30. (Once Amended) The method of claim 26, wherein the encrypted data
packet includes an encrypted data packet header section and an encrypted data packet data
section, the encrypted data packet header section including the header section of the data
packet after encryption and the encrypted data packet data section including the data section
of the data packet after encryption, the modified data packet including a header portion
storing the new address header and a data portion [the encrypted data packet header section]
storing the encrypted data packet.

31. The method of claim 30, wherein the encrypted data packet header section
stores the source and destination identifiers.



32. (Once Amended) [The method of claim 30,] A method of encrypting data
packets, comprising:

receiving a data packet from a source for a destination, the data packet including a
header section and a data section, the header section storing a source identifier and a
destination identifier;

determining whether the data packet should be encrypted upon reference to at least
one of the source and destination identifiers;

if the data packet should be encrypted, encrypting the data packet to produce an
encrypted data packet; and

generating a new address header and appending the new address header to the
encrypted data packet, thereby generating a modified data packet;

wherein the encrypted data packet includes an encrypted data packet header section
and an encrypted data packet data section, the encrypted data packet header section including
the header section of the data packet after encryption and the encrypted data packet data
section including the data section of the data packet after encryption, the modified data
packet including a header portion storing the new address header and a data portion storing
the encrypted data packet;

wherein the source is a host computer in a network and the [encrypted data packet
header section] header portion of the modified data packet stores an identifier of the network.

33. (Once Amended) [The method of claim 30,] A method of encrypting data
packets, comprising:

receiving a data packet from a source for a destination, the data packet including a
header section and a data section, the header section storing a source identifier and a
destination identifier;

determining whether the data packet should be encrypted upon reference to at least
one of the source and destination identifiers;

if the data packet should be encrypted, encrypting the data packet to produce an
encrypted data packet; and

generating a new address header and appending the new address header to the
encrypted data packet, thereby generating a modified data packet;

wherein the encrypted data packet includes an encrypted data packet header section
and an encrypted data packet data section, the encrypted data packet header section including
the header section of the data packet after encryption and the encrypted data packet data
section including the data section of the data packet after encryption, the modified data
packet including a header portion storing the new address header and a data portion storing
the encrypted data packet;

wherein the destination is a host computer in a network and the [encrypted data
packet header section] header portion of the modified data packet stores an identifier of the
network.

34. The method of claim 26, wherein the source is a host computer or a network.



35. The method of cl 



network. 



36. (Once Amended)
data packets, comprising

computer code that when executed causes the reception of [receives] a data packet
from a source for a destination, the data packet including a header section and a data section,
and the header section storing a source identifier and a destination identifier;

computer code that when executed causes the determination of [determines] whether
the data packet should be encrypted upon reference to at least one of the source and
destination identifiers;

computer code that when executed, if the data packet should be encrypted, [encrypts]
causes the encryption of the data packet to produce an encrypted data packet; [and]

computer code that when executed causes the generation of a new address header and
appends the new address header to the encrypted data packet, the new address header
including a mechanism for identifying an encryption method used to generate the encrypted
data packet, thereby generating a modified data packet; and

a computer readable medium that stores the computer codes.



37. The computer program product of claim 36, wherein the computer readable
medium is a memory, random-access-memory, read-only-memory, disk drive, or CD-ROM.

38. (Once Amended) A computer system for encrypting data packets,
comprising:

a processor;

a computer readable medium coupled to the processor and storing a computer
program comprising:

computer code that when executed by the processor causes the processor to
[receives] receive a data packet from a source for a destination, the data packet
including a header section and a data section, and the header section storing a source
identifier and a destination identifier;

computer code that when executed by the processor causes the processor to
[determines] determine whether the data packet should be encrypted upon reference to
at least one of the source and destination identifiers; [and]

computer code that when executed by the processor causes the processor to [if
the data packet should be encrypted, encrypts] encrypt the data packet to produce an
encrypted data packet when it is determined that the data packet should be
encrypted[.]; and

computer code that when executed by the processor causes the processor to
generate a new address header and append the new address header to the encrypted
data packet, thereby generating a modified data packet;

wherein the new address header includes a mechanism for identifying an
encryption method used to generate the encrypted data packet.



39. The computer program product of claim 38, wherein the computer readable 
medium is a memory, random-access-memory, read-only-memory, disk drive, or CD-ROM. 



40. (Once Amended) A method of decrypting data packets, comprising:
receiving a data packet from a source for a destination, the data packet including a
header section and a data section, and the header section storing a source identifier
identifying a broadcast address of the source and a destination identifier identifying a
broadcast address of the destination;

determining whether the data packet is encrypted upon reference to at least one of the
source and destination identifiers; and

if the data packet is encrypted, decrypting the data packet to produce a decrypted data
packet.

41. The method of claim 40, further comprising transmitting the decrypted data
packet to the destination.




42. The method of claim 40, wherein the determining whether the data packet is
encrypted comprises accessing stored information that indicates by presence or absence of the
source identifier that data packets from the source are encrypted.

43. The method of claim 40, wherein the determining whether the data packet is
encrypted comprises accessing stored information that indicates by presence or absence of a
correlation between the source and destination identifiers that data packets from the source
for the destination are encrypted.

44. The method of claim 40, wherein the data section of the data packet includes
an encrypted header section and an encrypted data section for the decrypted data packet.

45. The method of claim 44, wherein the encrypted header section stores the
source and destination identifiers.

46. The method of claim 44, wherein the source is a network and the encrypted
header section stores an identifier of a host computer in the network.

47. The method of claim 44, wherein the destination is a network and the
encrypted header section stores an identifier of a host computer in the network.

48. The method of claim 40, wherein the source is a host computer or a network.

49. The method of claim 40, wherein the destination is a host computer or a
network.



50. (Once Amended) A computer program product adapted for decrypting
data packets, comprising:

computer code that when executed causes the reception of [receives] a data packet
from a source for a destination, the data packet including a header section and a data section,
and the header section storing a source identifier identifying a broadcast address of the source
and a destination identifier identifying a broadcast address of the destination;

computer code that when executed causes the determination of [determines] whether
the data packet is encrypted upon reference to at least one of the source and destination
identifiers;

computer code that when executed and if the data packet is encrypted, [decrypts]
causes the decryption of the data packet to produce a decrypted data packet; and
a computer readable medium that stores the computer codes.

51. The computer program product of claim 50, wherein the computer readable
medium is a memory, random-access-memory, read-only-memory, disk drive, or CD-ROM.

52. (Once Amended) A computer system for decrypting data packets,
comprising: 

a processor; 

a computer readable medium coupled to the processor and storing a computer 
program comprising: 

computer code that when executed on the processor causes the processor to 
[receives] receive a data packet from a source for a destination, the data packet 
including a header section and a data section, and the header section storing a source 
identifier identifying a broadcast address of the source and a destination identifier 
identifying a broadcast address of the destination; 

computer code that when executed on the processor causes the processor to 
[determines] determine whether the data packet is encrypted upon reference to at least 
one of the source and destination identifiers; and 

computer code that when executed on the processor causes the processor to if 
the data packet is encrypted, [decrypts] decrypt the data packet to produce a decrypted 
data packet. 

53. The computer program product of claim 52, wherein the computer readable 
medium is a memory, random-access-memory, read-only-memory, disk drive, or CD-ROM. 



Please ADD new claims as follows: 



54. A system for automatically encrypting and decrypting data packets transmitted from a 
first host computer on a first computer network, the first host computer having a first 
processor and a first memory, via an internetwork to a second host computer on a second 
computer network, the second host computer having a second processor and a second 
memory, the system including: 

security data stored in said first and second memories indicating that data 
packets meeting at least one predetermined criterion are to be encrypted; 

instructions stored in said first memory for determining whether to encrypt 
one or more data packets, by determining whether said at least one predetermined 
criterion is met by said one or more data packets; 

instructions stored in said first memory for executing encryption of at least a 
first one of said one or more data packets according to a predetermined 
encryption/decryption mechanism, when said at least one predetermined criterion is 
met, for generating a new address header for said first data packet and for appending 
an encapsulation header to said first data packet and transmitting said first data packet 
to said second host, said encapsulation header including said new address header and 
a mechanism for identifying said predetermined encryption/decryption mechanism; 

instructions stored in said second memory for receiving said first data packet, 
determining whether it has been encrypted by reference to said security data in said 
second memory, and if so then determining which encryption/decryption mechanism 
was used for encryption, and decrypting said first data packet by use of said 
decryption key. 

55. The system as recited in claim 54, wherein at least one of said decryption key and said 
predetermined encryption/decryption mechanism are provided in encrypted form within said 
encapsulation header. 



56. The system of claim 15, wherein said correlation data includes: 

encryption rules identifying source and destination networks to and from which 
packets are to be encrypted; and 

host information indicating exceptions to the encryption rules. 

57. A system for automatically encrypting data packets for transmission from a first host 
computer on a first computer network to a second host computer on a second computer 
network, said first host computer including a first processor and a first memory including 
instructions for transmitting said data packets from said first host to said second host, the 
system including: 

a bridge computer coupled to the first computer network for intercepting at 
least a first data packet transmitted from said first computer network, said bridge 
computer including a second processor and a second memory storing instructions for 
executing encryption of said first data packet according to a predetermined 
encryption/decryption mechanism; 

information stored in said second memory correlating at least one of the first 
host computer and the first network with one of the second host computer and the 
second network, respectively; and 

instructions stored in said second memory for intercepting said first data 
packet before departure from said first network, determining whether said correlation is 
present, and if so, then executing encryption of said first data packet according to said 
predetermined encryption/decryption mechanism, generating a new address header including 
the internetwork broadcast addresses of the first and second computer networks and 
appending said new address header to said first data packet, thereby generating a modified 
first data packet on to the second host computer. 



58. A computer program product adapted for encrypting data packets, comprising: 

computer code that when executed on a computer causes the computer to receive a 

, the data packet including a header section and a 
data section, and the header section storing a source identifier and a destination identifier; 

computer code that when executed on a computer causes the computer to determine 
whether the data packet should be encrypted upon reference to at least one of the source and 
destination identifiers; 

computer code that when executed on a computer causes the computer to, if the data 
packet should be encrypted, encrypt the data packet to produce an encrypted data packet; 

computer code that when executed on a computer causes the computer to generate a 
new address header storing at least one of a broadcast address associated with the source and 
a broadcast address associated with the destination, and append the new address header to the 
encrypted data packet, thereby generating a modified data packet; and 

a computer readable medium that stores the computer codes. 



59. A computer system for encrypting data packets, comprising: 
a processor; 

a computer readable medium coupled to the processor storing a computer program 
comprising: 

computer code that when executed by the processor causes the processor to 
receive a data packet from a source for a destination, the data packet including a 
header section and a data section, and the header section storing a source identifier 
and a destination identifier; 

computer code that when executed by the processor causes the processor to 
determine whether the data packet should be encrypted upon reference to at least one 
of the source and destination identifiers; 

computer code that when executed by the processor causes the processor to if 
the data packet should be encrypted, encrypt the data packet to produce an encrypted 
data packet; and 

computer code that when executed by the processor causes the processor to 
generate a new address header storing at least one of a broadcast address associated 
with the source and a broadcast address associated with the destination, and append the 
new address header to the encrypted data packet, thereby generating a modified data 
packet. 



60. A method of decrypting data packets, comprising: 

receiving a data packet from a source for a destination, the data packet including a 
header section and a data section, and the header section storing a source identifier, a 
destination identifier, and encryption information providing a mechanism for identifying an 
encryption method used to generate the data packet; and 

decrypting the data packet to produce a decrypted data packet. 



61. The method as recited in claim 60, further comprising: 

determining from the header section whether the data packet is encrypted; and 

wherein decrypting the data packet to produce a decrypted data packet is performed if 
it is determined that the data packet is encrypted. 

62. The method as recited in claim 60, wherein decrypting the data packet to produce a 
decrypted data packet comprises: 

decrypting at least one of the data section of the data packet and the encryption 
information 

63. The method as recited in claim 60, wherein the data section includes a packet header 
and a packet body and wherein decrypting the data section of the data packet comprises 
decrypting at least one of the packet header and the packet body. 



64. A computer program product adapted for decrypting data packets, comprising: 

computer code that when executed on a computer causes the computer to receive a 
data packet from a source for a destination, the data packet including a header section and a 
data section, and the header section storing a source identifier, a destination identifier and 
encryption information including a mechanism for identifying an encryption method used to 
generate the data packet; 

computer code that when executed on a computer causes the computer to decrypt the 
data packet to produce a decrypted data packet; and 

a computer readable medium that stores the computer codes. 



65. The computer program product as recited in claim 64, further comprising: 

computer code that when executed on a computer causes the computer to determine 
from the header section whether the data packet is encrypted; and 

computer code that when executed on a computer causes the computer to decrypt the 
data packet if it is determined that the data packet is encrypted. 

66. The computer program product as recited in claim 64, further comprising: 

computer code that when executed on a computer causes the computer to decrypt the 
data packet using the encryption method. 



67. A computer system for decrypting data packets, comprising: 
a processor; 

a computer readable medium coupled to the processor storing a computer program 
comprising: 

computer code that when executed on the processor causes the processor to 
receive a data packet from a source for a destination, the data packet including a 
header section and a data section, and the header section storing a source identifier, a 
destination identifier and encryption information including a mechanism for 